Cisco administration 101: Monitor network traffic with NetFlow

Are you familiar with Cisco's NetFlow technology? NetFlow is the new standard for network traffic analysis, and you can use it to see the utilization on a router — as well as the traffic that's causing the utilization. Here's an introduction to the benefits of NetFlow.

Let's say you want to begin collecting historical data about the network traffic flowing across your network. Perhaps you want to create charts and graphs of network utilization over time, maybe you want to charge back departments that are using the most network traffic, or maybe you just want to monitor link utilization over time.

If any of these network accounting scenarios sound appealing, you should familiarize yourself with Cisco's NetFlow technology. Let's take a closer look.

What is NetFlow?

NetFlow is a proprietary Cisco protocol, and all current Cisco routers and switches support this protocol. These devices record all traffic that traverses the network links and send detailed information concerning that traffic to a NetFlow collector using UDP packets.

NetFlow is the new standard for network traffic analysis; SNMP management just isn't sufficient anymore. Using NetFlow, you can see the utilization on a router — as well as the traffic that's causing the utilization.

What exactly defines a "flow"? According to Cisco, a flow is a unidirectional sequence of packets that share the following pieces of information:

Source IP address

Destination IP address

Source port number

Destination port number

Protocol

Because there are five components required to define a flow, Cisco calls this the 5-tuple (quintuple) traffic definition. Specific uses for NetFlow include network monitoring, application monitoring, user monitoring, network planning, security analysis, accounting and billing, and network traffic data warehousing and mining.
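The flow definition above can be made concrete with a short Python sketch. This is an added example, not code from the original article or from Cisco: it groups constructed sample packets into unidirectional flows keyed by the 5-tuple and ranks them by bytes. The names FlowKey, build_flow_cache and top_flows, and all addresses and byte counts, are assumptions made for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class FlowKey(NamedTuple):
    """The 5-tuple that identifies one unidirectional flow."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int  # IP protocol number: 6 = TCP, 17 = UDP


# Constructed sample packets (not real captures):
# (src_ip, dst_ip, src_port, dst_port, protocol, bytes)
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.0.2.10", 51000, 443, 6, 600),
    ("192.0.2.10", "10.0.0.5", 443, 51000, 6, 1500),  # reply direction
    ("10.0.0.5", "192.0.2.10", 51000, 443, 6, 400),
    ("192.0.2.10", "10.0.0.5", 443, 51000, 6, 1500),
    ("10.0.0.7", "192.0.2.53", 40000, 53, 17, 80),
    ("10.0.0.5", "192.0.2.10", 51001, 443, 6, 300),   # new source port
]


def build_flow_cache(packets):
    """Group packets into flows; each distinct 5-tuple gets its own counters."""
    cache = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src_ip, dst_ip, src_port, dst_port, proto, size in packets:
        key = FlowKey(src_ip, dst_ip, src_port, dst_port, proto)
        cache[key]["packets"] += 1
        cache[key]["bytes"] += size
    return dict(cache)


def top_flows(cache, n=3):
    """Return the n flows carrying the most bytes, largest first."""
    ranked = sorted(cache.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return ranked[:n]


if __name__ == "__main__":
    for key, stats in top_flows(build_flow_cache(SAMPLE_PACKETS)):
        print(key, stats)
```

The six sample packets produce four flows: the request and reply directions of one TCP connection are counted separately, and a change in any single field, such as the source port, starts a new flow.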

What's a NetFlow collector?

While it's great to be able to collect all of this data, you really want to be able to do more than that. To fully take advantage of the information, you need to actually analyze the statistics.

The first step is retrieval. How can you retrieve all of this important gathered data? Enter the NetFlow collector. This is a PC/server system that sits on the network and collects all of the data sent by the routers and switches.

To collect and analyze this data, you also need software. There are plenty of NetFlow applications available at a range of prices. It all depends on what you want to do and how many devices you have.

Does my router have NetFlow capabilities?

If you're wondering whether you can use NetFlow on your existing router or switch, you can use the Cisco Feature Navigator to determine which IOS is required. However, in general, to determine whether a device already has NetFlow, you can use the ip flow? command while in Global Configuration Mode. Here's an example:

    Router# conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# ip flow?
    flow-aggregation flow-cache flow-export
    Router(config)# ip flow

If you see options like those listed above, your device should have the ability to send NetFlow data to a NetFlow collector. For more information, check out Cisco's Configuring NetFlow documentation.

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.